Dan Guido SOURCE Boston 2011

https://www.isecpartners.com

Dan Guido SOURCE Boston, 04/20/2011

The Exploit Intelligence Project

2

Intro and Agenda

I work for iSEC Partners

NYC, Seattle, SF – specialize in Application Security

I don’t have a product to sell you

Today, I’m going to be sharing data and my analysis of attacker capabilities and methods

An informed defense is more effective and less costly

EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective

3

WARNING!

The commentary is really important for this talk.

If you’re a reporter, please contact me and I’ll be happy to provide that commentary

for any section you’re interested in:

dguido@isecpartners.com

We Have An Analysis Problem

Or, you’re counting the wrong beans!

5

Let’s Talk About Vulnerabilities

*IBM X-Force 2010 Trend and Risk Report

6

How many vulnerabilities did you have to pay attention to in 2010?

7

since 2006

8

Vulnerability Origin

*Secunia Yearly Report 2010

9

Affected Vendors (2010)

5

5

2

1

Oracle

Adobe

Microsoft

Apple

10

Wheel of Vulnerability Fortune

*Secunia: The Security Exposure of Software Portfolios

11

0

1

2

3

4

5

6

TargetedAttacks

ZDI ProminentResearcher

PersonalWebsite

KnownBehavior

Discoveredby Malware

Where or how were massively exploited vulnerabilities first discovered in 2010?

12

Google Chrome is Insecure!

*Bit 9 Research Report: Top Vulnerable Apps – 2010

13

How many vulnerabilities were massively exploited in Google Chrome in 2010?

Are we doing something wrong?

Yes, you’re doing it backwards!

15

We Have to Start at Attacks

Where do bad guys get their info from?

How do bad guys view the new vulns that come out?

How effective are my defenses against this attacker?

1. 2. 3.

Maslow’s Internet Threat Hierarchy

# of Attacks Data Lost

APT

Targeted

Mass Malware

IP

$$$

Banking Credentials

Mass Malware

How does it work?

18

Kill Chain Model

Systematic model for evaluating intrusions

Helps us objectively evaluate attacker capabilities

Align defense to specific processes an attacker takes

Typically used as a model to defend against APT

Evolves beyond response at point of compromise

Assumes unfixable vulnerabilities

First described by Mike Cloppert

19

Recon

20

Weaponization

5-20 exploits, $200-$2000 dollars

21

Delivery

22

Exploitation

23

Installation

24

Command and Control

25

Actions on Objectives

Leads to Cyber Pompeii

27

Process Overview Recon

Weaponize

Delivery

Exploit

Install

C2

Actions

Millions of Infected Sites

Thousands of IPs

Thousands of Vulnerabilities

Millions of Malware Samples

Thousands of IPs

N/A

<100 Exploits The last point that you have control of your data

Existing defenses attack the most robust aspects of mass malware operations

Going on the Offensive

29

Exploit Kit Popularity (2011)

*ThreatGRID Data

Exploit Kit Popularity

AVG Threat Labs

Malware Domain List

Krebs on Security

Malware Intelligence

Contagio Dump

Malware Tracker

M86 Security

…

Data Sources

Blackhole

Bleeding Life

CrimePack 3.1.3, 3.0, 2.2.8, 2.2.1

Eleonore 1.6, 1.4.4, 1.4.1, 1.3.2

Fragus

JustExploit

Liberty 2.1.0, 1.0.7

LuckySploit

Phoenix 2.5, 2.4, 2.3, 2.2, 2.1, 2.0

SEO Sploit pack

Siberia

Unique Pack

WebAttacker

YES

Zombie

Data Processing

Decode Jsunpack

Generic JS Unpacker

Decodeby.us PHP De-obfuscation

Detect YARA Project

Generic scanning engine

Relate SHODAN HQ

Python API for ExploitDB, MSF, CVE

Live Testing Vmware

Windows XP/7

Note: All free tools except VMWare/Windows

33

Jsunpack/YARA Rules

rule IEStyle

{

meta:

ref = “CVE-2009-3672”

hide = true

impact = 8

strings:

$trigger1 = “getElementsByTagName” nocase fullword

$trigger2 = “style” nocase fullword

$trigger3 = “outerhtml” nocase fullword

condition:

all of them

}

34

Jsunpack vs Eleonore 1.4.1

vuln_search.py

CVE Name ID

Exploit DB Author Date ID Name

Metasploit Authors Description ID Name Rank

References Vendor URLs (ex. MSB) ZDI Other Notable URLs

Powered by:

36

Sample Results: CVE-2010-1818 Exploit DB

08/30/2010 Ruben Santamarta Apple QuickTime "_Marshaled_pUnk" Backdoor 14843

Metasploit Ruben Santamarta, jduck Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution “… exploits a memory trust issue in Quicktime…” exploit/windows/browser/apple_quicktime_marshaled_punk Rank: Great

Refs http://reversemode.com/index.php?option=com_content&task=

view&id=69&Itemid=1 OSVDB-67705

37

Recap

Mapping of Exploit Kits -> CVEs + Metadata

Targeting Trends

Java from 2008 to Present

39

Targeting Trends

Java, Round One

12-08 – Prominent researcher finds CVE-2008-5353

08-09 – Wins a Pwnie (researcher interest runs high)

08-09 – ZDI submissions start trickling out

11-09 – 1 kit incorporates CVE-2008-5353

40

Java, Round Two

11-09 – ZDI publishes 2nd batch of Java vulns CVE-2009-3867

01-10 – Three kits integrate 1st and 2nd vulns CVE-2008-5353 and CVE-2009-3867

04-10 – 3rd batch of researcher disclosures CVE-2010-0886, CVE-2010-0840, CVE-2010-0842

Back and forth between researchers/malware keeps interest in Java running high

41

From April 2010 onwards, new Java exploits are added to almost all popular exploit kits

42

Java Today

Popularity

11 out of 15 kits include at least one Java exploit (73%)

7 out of 15 kits include more than one (46%)

Where did this trend come from?

Who followed who? The malware or research community?

Why can we even compare these two groups together?

What is next?

Java and Flash will continue to be a pain point

Quickest path to install malware in IE and Firefox

43

0

1

2

3

4

5

6

TargetedAttacks

ZDI ProminentResearcher

PersonalWebsite

KnownBehavior

Silent Patch

The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011

Capabilities Assessment

If we only had a time machine

45

Optimized Defense

Jan 1, 2009 – what can we put in place to mitigate all exploits for the next two years? Restrictions: no patching allowed

2009 recap Internet Explorer 7, Firefox 3.0

Adobe Reader 9

Java, Quicktime, Flash, Office 2007

Windows XP SP3

Dataset represents 27 exploits

46

Slice and Dice

Memory Corruption

(19)

Logic (8)

Partition exploits based on mitigation options

47

19 Memory Corruption Exploits

5 unique targets

IE, Flash, Reader, Java, Firefox, Opera

Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications?

Patch schedules: Monthly, Quarterly, Ad-hoc

Two years: 60+ patches in these apps

I choose Data Execution Prevention (DEP)

Good choice! It mitigates 14 exploits.

48

8 Logic Flaws

4 unique targets

Java, Reader, IE, Firefox, FoxIt

Do we have a business case to justify getting repeatedly compromised by mass malware?

No? Remove Java from the Internet Zone in IE

Configure Reader to prompt on JS execution

“Disallow opening of non-PDF file attachments”

This leaves two exploits, one in IE and one in FF

49

Most Severe Exploits 2009-2010

IE Help Center XSS

Firefox SessionStore

Reader libTIFF

Reader CoolType SING

Flash (IE) newfunction

Quicktime (IE) _Marshaled_pUnk

Java getSoundBank

50

Enhanced Mitigation Experience Toolkit

Microsoft utility that adds obstacles to exploitation On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter

Distributed as an MSI, controlled via CLI or Registry

Apply it to one application at a time Harden legacy applications

Temporary protections against known zero-day

Permanent protections against highly targeted apps

http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf

51

Most Severe Exploits 2009-2010

IE Help Center XSS

Firefox SessionStore

The Firefox exploit is only in one kit. We can make an informed decision about the amount

of risk we are assuming.

52

Intelligence-Driven Mitigations

Easy mitigations (22 out of 27 exploits) DEP on IE, Firefox, and Reader

No Java in the Internet Zone

Disallow opening of non-PDF file attachments

Hard mitigations (all the rest) EMET on IE and Reader, the two most attacked apps

Upgrade to IE8 for that pesky Help Center XSS

Disallow Firefox, patch it, or accept the risk

Extremely limited susceptibility going forward

53

Taking It Further

Mass malware exploits are:

1. Result of users browsing internet sites

2. Shortest path to install malware w/ a single exploit

Malicious

HTML

Google

Chrome

IE8

IE7, Plugins,

Java, Flash,

etc.

DEP

Bypass

DEP

Bypass

Sandbox

Escape

Install

SpyEye

*DDZ – Memory Corruption, Exploitation and You

54

Google Chrome Frame

“X-UA-Compatible: chrome=1”

55

Google Chrome Frame Internet sites standardized around HTML/JS

This is why you don’t need IE6 or IE7 at home

For internet sites, add HTTP header w/ Bluecoat

Browser is sandboxed Uses auto-updated Google version of Flash No other plugins are loaded

Maintain whitelist of internet sites that need IE

Typically, established vendor relationships

All intranet websites will load with IE as usual

Seamless to the user, mitigates all exploits in use

Maslow’s Internet Threat Hierarchy

# of Attacks Data Lost

APT

Targeted

IP

$$$

Banking Credentials

Now you’re ready to defend against more advanced attackers

57

Intelligence-Driven Conclusions Don’t wait to act with Flash and Java Pay attention to targeted attack disclosures in 2011

Force malware authors to use multiple exploits Seriously consider Google Chrome Frame

Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?

Intelligence-Driven Response Informed defense is more effective and less costly Threat-focused security is practical Attack data is necessary to adequately model your risk

58

Thanks Rcecoder, Mila Parkour, Francois Paget, Adam Meyers

Exploit Pack Table on Contagio Dump & Exploit Kit Source

Mike Cloppert and Dino Dai Zovi Inspiration, ideas, and encouragement

Chris Clark Getting started with the research process at iSEC

John Matherly Creating SHODAN and fixing my bugs

Dean De Beer ThreatGRID data, screenshots, and background material

59

References and Q&A Updates with more data at SummerCon, 6/10

Related Presentations (online) Memory Corruption, Exploitation, and You – DDZ Intelligence-Driven Response to APT – M. Cloppert Any Mandiant Presentation

Related Presentations (at SOURCE) 2011 Verizon Data Breach Report, Hutton Fuel for Pwnage, Diaz and Mieres Dino Dai Zovi Keynote

dguido@isecpartners.com

Appendix

61

Frequently Asked Question #1

Q: What do you think about network detections?

A: Apply the same analysis process (kill chain) to the adversary you care about and determine major source of overlaps in intrusions. You may find better indicators than simply IP addresses. ie., “Hey, all the malicious domains attacking me are

registered with the same whois data.”

or, “All the domains that compromise me have low TTL values in common.”

See some of Mike Cloppert’s writings

See ThreatGRID when it comes out

62

Frequently Asked Question #2

Q: How can we keep up with this data? You did a point in time assessment, but I want this going forward.

A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.

63

Frequently Asked Question #3 Q: Aren’t you cheating by saying we should use EMET to mitigate past

exploits?

A: If we were smart enough to enable mitigations like DEP, we would have had

a solid 1.5 years where we weren’t affected by mass malware mem corruption exploits at all, buying us a huge amount of time to investigate other mitigations techniques.

The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process, we have to continue collecting and responding to new information.

There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.

64

Frequently Asked Question #4

Q: Future analysis?

A:

How [exactly] do researcher disclosures correlate with massive exploitation?

Are the number of bugs exploited as zero-day increasing? Why?

Do researchers follow zero-day disclosure trends or vice-versa?

Exactly how much exploit code is modified from public PoC’s before being integrated into a kit?

Expect new results some time in June